{
	"id": "f3cbf4da-8e37-4d1f-a076-31dadd51dcfa",
	"created_at": "2026-04-06T01:31:13.627283Z",
	"updated_at": "2026-04-10T03:20:05.261113Z",
	"deleted_at": null,
	"sha1_hash": "2f605b35e8edb87b881a3ad3c5f20a59d2052e73",
	"title": "Back in Black... Basta | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1581377,
	"plain_text": "Back in Black... Basta | Zscaler\r\nBy Brett Stone-Gross\r\nPublished: 2022-12-01 · Archived: 2026-04-06 00:49:48 UTC\r\nKey Points\r\nBlackBasta emerged in February 2022 with double-extortion ransomware attacks against organizations.\r\nThe threat group exfiltrates sensitive information from organizations before performing file encryption and demanding a ransom payment.\r\nThe previous version of BlackBasta shared many similarities with the now defunct Conti ransomware, although the malware code itself was novel.\r\nIn November 2022, BlackBasta ransomware received significant updates, including new file encryption algorithms, the introduction of stack-based string obfuscation, and per-victim file extensions.\r\nThe ransomware code modifications are likely an attempt to better evade antivirus and EDR detection.\r\nZscaler ThreatLabz has been tracking prominent ransomware families and their tactics, techniques and procedures (TTPs), including the BlackBasta ransomware family. On November 16, 2022, ThreatLabz identified new samples of the BlackBasta ransomware that had significantly lower antivirus detection rates. The latest BlackBasta code has numerous differences compared to the original BlackBasta ransomware. The changes from the previous version include replacing the file encryption algorithms and switching from the GNU Multiple Precision Arithmetic Library (GMP) to the Crypto++ encryption library. Many of the malware’s strings have been obfuscated and the filenames have been randomized, which may hinder static-based antivirus detection and behavioral-based EDR detection. This blog focuses on these recent changes to BlackBasta. 
Since the current BlackBasta codebase is quite different from the original, ThreatLabz refers to this new version as BlackBasta 2.0.\r\nTechnical Analysis\r\nThe following sections analyze the changes to the BlackBasta ransomware, including the string obfuscation and file encryption, and compare the various features that have been added, removed or modified.\r\nString Obfuscation\r\nSimilar to Conti ransomware, the BlackBasta ransomware developer appears to be experimenting with stack-based string obfuscation using ADVObfuscator. Figure 1 shows an example obfuscated string that is constructed on the stack and decoded using an XOR operation with a single byte.\r\nhttps://www.zscaler.com/blogs/security-research/back-black-basta\r\nPage 1 of 10\r\nFigure 1. BlackBasta 2.0 stack-based string obfuscation example\r\nCurrently, not all strings in the ransomware are obfuscated, but it is likely that more strings will be obfuscated soon.\r\nFile Encryption\r\nPerhaps the most significant modification in BlackBasta 2.0 is to the encryption algorithms. Previous versions of BlackBasta ransomware used a per-victim asymmetric 4,096-bit RSA public key and a per-file ChaCha20 symmetric key. The RSA algorithm was implemented using the GNU Multiple Precision Arithmetic Library (GMP). In the latest version of BlackBasta ransomware, the encryption algorithms have been replaced with Elliptic Curve Cryptography (ECC) and XChaCha20. The encryption library used to implement these algorithms in BlackBasta 2.0 is Crypto++. The elliptic curve used by BlackBasta 2.0 is NIST P-521 (aka secp521r1). 
A hardcoded NIST P-521 public key (521 bit, ASN1 OID secp521r1) is embedded in the BlackBasta 2.0 sample.\r\nThe encryption process used by BlackBasta 2.0 leverages the Crypto++ Elliptic Curve Integrated Encryption Scheme (ECIES) in Diffie-Hellman Augmented Encryption Scheme (DHAES) mode (also known as DHIES, to avoid confusion with the Advanced Encryption Standard) to encrypt a per-file XChaCha20 key and generate a hash-based message authentication code (HMAC). BlackBasta appends a 314-byte footer to files after encryption has been completed, as shown below in Figure 2.\r\nFigure 2. Example BlackBasta 2.0 encrypted file footer\r\nThe first 133 bytes (in blue) are an ephemeral NIST P-521 public key generated per file. The next 56 bytes are an encrypted per-file XChaCha20 32-byte key and 24-byte nonce (in green), followed by a 20-byte HMAC (in red). This is followed by NULL byte padding and a two-byte value (in orange) for the size of the cryptographic material. 
The last 12 bytes (in purple) are a per-victim marker (e.g., j4ftnwzxbrf) that the BlackBasta decryption tool can use to identify encrypted files.\r\nThe encryption process starts by generating an ephemeral NIST P-521 key pair. The ephemeral private key is then used to derive a shared secret with the hardcoded public key using the Diffie-Hellman algorithm. The result is passed to the key derivation function KDF2 to produce 72 pseudorandom bytes. The first 16 bytes are used as an HMAC key and the subsequent 56 bytes are used as an XOR key to encrypt the file’s XChaCha20 key and nonce (shown above in green). The per-file XChaCha20 key and nonce are generated using the Crypto++ random number generator library. The HMAC is calculated over the ciphertext using the SHA-1 hash algorithm, and the result can be compared against the 20 bytes in the footer (shown in red) for message verification.\r\nTo optimize for speed, BlackBasta encrypts files differently with XChaCha20 based on the file's size. If the file is less than 5,000 bytes, the full file is encrypted in blocks of 64 bytes; if the file size is greater than 64 bytes and not an even multiple of 64 bytes, the last (partial) 64-byte block will not be encrypted. If the file size is less than or equal to 1,073,741,824 (0x40000000) bytes (i.e., 1 GB), BlackBasta alternates between encrypting a 64-byte block and skipping (i.e., not encrypting) the following 128 bytes until the end of the file is reached, as shown in Figure 3.\r\nFigure 3. Example file with null bytes encrypted by BlackBasta 2.0 ransomware, alternating between encrypted and unencrypted blocks\r\nIf the file is larger than 1 GB, BlackBasta will first encrypt the first 5,064 bytes, skip 6,336 bytes, encrypt 64 bytes, skip 6,336 bytes, and so on until the end of the file has been reached. 
The XChaCha20 encryption code is shown in Figure 4.\r\nFigure 4. BlackBasta 2.0 XChaCha20 file encryption code\r\nAfter encryption is complete, BlackBasta 2.0 renames the file with a hardcoded per-victim extension such as .agnkdbd5y, .taovhsr3u or .tcw9lnz6q. The previous version of BlackBasta used only .basta for the encrypted file extension.\r\nThe encrypted files’ icon image has also been modified from a white box to a red box, as shown in Figure 5.\r\nFigure 5. BlackBasta (original and new) encrypted file icon images\r\nWhile this change is rather small, it may be sufficient to bypass static signatures that antivirus products may use to detect BlackBasta.\r\nRansom Note\r\nBlackBasta 2.0 has modified the ransom note text as shown in Figure 6.\r\nFigure 6. Example BlackBasta 2.0 ransom note (November 2022)\r\nThe ransom note filename has also changed from readme.txt to instructions_read_me.txt. 
BlackBasta 2.0 opens the ransom note in Windows Notepad via the command cmd.exe /c start /MAX notepad.exe.\r\nBlackBasta Feature Parity\r\nTable 1 compares the features between BlackBasta versions 1.0 and 2.0.\r\nFeature | BlackBasta 1.0 | BlackBasta 2.0\r\nEncryption library | GMP | Crypto++\r\nAsymmetric encryption | 4,096-bit RSA | NIST P-521\r\nSymmetric encryption | ChaCha20 | XChaCha20\r\nChange encrypted file icon | Yes | Yes\r\nEncrypted file extension | .basta | .[a-z0-9]{9}\r\nChange desktop wallpaper | Yes | No\r\nReadme filename | readme.txt | instructions_read_me.txt\r\nString obfuscation | No | Yes\r\nTerminate processes and services | Yes | No\r\nDelete shadow copies | Yes | Yes / No (varies between samples)\r\nEncrypted file icon name | fkdjsadasd.ico | fkdjsadasd.ico\r\nMutex name | dsajdhas.0 | ofijweiuhuewhcsaxs.mutex\r\nTable 1. Feature parity between BlackBasta 1.0 and BlackBasta 2.0\r\nIn addition to the aforementioned differences, BlackBasta 2.0 no longer changes the victim’s desktop wallpaper, nor terminates processes and services that may interfere with file encryption. The mutex name has also been updated.\r\nThe command-line parameters have also been modified, as shown in Table 2.\r\nCommand-line parameter | BlackBasta 1.0 | BlackBasta 2.0 | Description\r\n-threads | No | Yes | Number of threads to use for encryption\r\n-nomutex | No | Yes | Do not create a mutex\r\n-forcepath | Yes | Yes | Encrypt files in the specified path\r\n-bomb | Yes (in newer builds) | No | Spread via Active Directory and launch ransomware\r\nTable 2. Comparison between BlackBasta command-line parameters\r\nConclusion\r\nMembers of the Conti ransomware group appear to have splintered into multiple threat groups, including BlackBasta, which has become one of the most significant ransomware threats. 
ThreatLabz has observed more than five victims that have been compromised by BlackBasta 2.0 since the new version’s release in mid-November 2022. This demonstrates that the threat group is very successful at compromising organizations, and the latest version of the ransomware will likely enable them to better evade antivirus and EDR products.\r\nCloud Sandbox Detection\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to BlackBasta at various levels with the following threat names:\r\nWin32.Ransom.BlackBasta\r\nWin32.Ransom.Blackbasta.LZ\r\nELF64.Ransom.BlackBasta\r\nIndicators of Compromise\r\nThe SHA256 hashes of the BlackBasta 2.0 samples (executables and DLLs) are provided in the ThreatLabz GitHub repository here.\r\nSource: https://www.zscaler.com/blogs/security-research/back-black-basta",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/back-black-basta"
	],
	"report_names": [
		"back-black-basta"
	],
	"threat_actors": [],
	"ts_created_at": 1775439073,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f605b35e8edb87b881a3ad3c5f20a59d2052e73.pdf",
		"text": "https://archive.orkl.eu/2f605b35e8edb87b881a3ad3c5f20a59d2052e73.txt",
		"img": "https://archive.orkl.eu/2f605b35e8edb87b881a3ad3c5f20a59d2052e73.jpg"
	}
}